Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Bob Harold
On Fri, Oct 14, 2016 at 3:51 PM, Mark Andrews wrote: > > In message , Paul > Wouters writes: > > On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote: > > > > > "Using DNAME in the DNS root zone for sinking of special-use > TLDs" ? > > > > > > On Fri, Oct 14, 2016 at 10:04:21AM -0400, > > > Pau

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Stephane Bortzmeyer
On Tue, Oct 18, 2016 at 11:15:32AM -0400, Bob Harold wrote a message of 157 lines which said: > This does not cause any additional load on the AS112 servers. Sparing the AS 112 servers is a non-goal. Their operators never said they were overloaded.

Re: [DNSOP] Working Group Last Call

2016-10-18 Thread Warren Kumari
[ Top-post ] Much thanks to Matthijs for providing text - I really appreciate it. I have integrated / merged it. If anyone has additional wildcard text please let me know -- otherwise are we calling this cooked? W On Fri, Oct 14, 2016 at 8:44 AM, Matthijs Mekking wrote: > Hi Warren, > > On 08-

Re: [DNSOP] Empty Non-Terminal vs NXDOMAIN in draft-ietf-dnsop-nsec-aggressiveuse

2016-10-18 Thread Warren Kumari
On Mon, Oct 10, 2016 at 6:15 PM, Mark Andrews wrote: > > In message <0be787cd-3877-48c0-8bf9-3e15f605d...@dnss.ec>, Roy Arends writes: >> On 10 Oct 2016, at 21:39, Mark Andrews wrote: >> > >> > >> > In message , Roy Arends writes: >> >> Having read the draft >> >> >> >> How does one

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread John Levine
>I would think that the best approach might be: >- insecure delegation to 127.x.x.x, so that queries do not leak past the >host of the local resolver. This is the best we can do for the CPE >equipment and other resolvers that will not be updated until they are >replaced. >- add .local to resolvers

Re: [DNSOP] ECDSA woes

2016-10-18 Thread Dan York
Mikael, On Oct 15, 2016, at 11:22 AM, Mikael Abrahamsson <swm...@swm.pp.se> wrote: These kinds of migration scenarios to newer algorithms MUST be hashed out, because otherwise we're never going to be able to deploy new algorithms (and per previous experience, it seems we want to change

Re: [DNSOP] review of draft-ietf-dnsop-no-response-issue-05

2016-10-18 Thread Matthew Pounsett
On 16 October 2016 at 21:15, Mark Andrews wrote: > > In message g0...@mail.gmail.com> > , Matthew Pounsett writes: > > > > > > But not all registries are so constrained. This is BEST current > > > practice not LOWEST COMMON DENOMINATOR practice. > > > > > > GTLD are required to remove records fo

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Warren Kumari
On Fri, Oct 14, 2016 at 10:04 AM, Paul Wouters wrote: > On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote: > >> draft-bortzmeyer-dname-root >> >> , >> which proposes to "sink" special-use TLD (maybe you've heard of RFC >>

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Mark Andrews
In message <20161018175340.26608.qm...@ary.lan>, "John Levine" writes: > >I would think that the best approach might be: > >- insecure delegation to 127.x.x.x, so that queries do not leak past the > >host of the local resolver. This is the best we can do for the CPE > >equipment and other resolve

Re: [DNSOP] ECDSA woes

2016-10-18 Thread Mark Andrews
In message <57579895-55ef-439d-9e10-2f2b349e5...@isoc.org>, Dan York writes: > Mikael, > > On Oct 15, 2016, at 11:22 AM, Mikael Abrahamsson > <swm...@swm.pp.se> wrote: > > These kinds of migration scenarios to newer algorithms MUST be hashed > out, because otherwise we're never going to be

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread John R Levine
If we're going to ask people to change their software, how about asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in their caches? Those deal with .local and .onion leaks at the same time they do other useful stuff. No. They slow the leaks. They do not STOP the leaks. They

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Mark Andrews
In message , "John R Levine" writes: > >> If we're going to ask people to change their software, how about > >> asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in > >> their caches? Those deal with .local and .onion leaks at the same time > >> they do other useful stuff. > > >

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread John R Levine
No. They slow the leaks. They do not STOP the leaks. They depend on leaks to work. With a 24 hour TTL on the root zone, it ain't going to leak very much. The practical TTL is 3 hours. How come? This is a real question, unbound appears to believe the 24 hour TTL. But dummy stub zones

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread George Michaelson
I would encourage you to write up some terminal state, either for publication as an informational or in some other document series. People find stuff, and if you link to it in the mail archives, it will be a useful reminder of where we got to on the conversation. On Wed, Oct 19, 2016 at 8:38 AM,

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Mark Andrews
In message , "John R Levine" writes: > >>> No. They slow the leaks. They do not STOP the leaks. They depend on > >>> leaks to work. > >> > >> With a 24 hour TTL on the root zone, it ain't going to leak very much. > > > > The practical TTL is 3 hours. > > How come? This is a real question, unb

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread George Michaelson
Mark, that's a bit of an unsatisfactory answer. The RFC (which you authored) says: "...As with caching positive responses it is sensible for a resolver to limit for how long it will cache a negative response as the protocol supports caching for up to 68 years. Such a limit should not be g

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Mark Andrews
In message , George Michaelson writes: > Mark, that's a bit of an unsatisfactory answer. The RFC (which you > authored) says: > > "...As with caching positive responses it is sensible for a resolver to > limit for how long it will cache a negative response as the protocol > supports cachin

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Brian Dickson
A short time ago, in a time zone not far away, Warren Kumari wrote: On Fri, Oct 14, 2016 at 10:04 AM, Paul Wouters wrote: > On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote: > >> draft-bortzmeyer-dname-root >> >> ,